The subject matter of the present application relates generally to processor-based systems, and, more particularly, to detecting intrusions in a processor-based system.
Virtually all modern processor-based systems from smart phones to personal computers to mainframes are physically, electronically, and/or communicatively interconnected using networks such as the Internet, intranets, and the like. Although interconnecting computers provides enormous advantages, e.g., by facilitating communication between the computers, networked computers are also vulnerable to intruders. Intruder code may be defined as a software program that executes without authorization and/or illegally on the hardware of the processor-based system. Intruders can include computer viruses, computer worms, Trojan horses, spyware, adware, malware, and the like. A computer virus is a computer program that can replicate itself and spread from one computer to another. A worm is a computer program that can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms that can be observed or detected by the computer user, but many are surreptitious and may do nothing obvious while they are on the computer system. Some viruses do nothing beyond reproducing themselves.
Viruses, worms, and other intruders can be detected after they have infected a computer, e.g., using antivirus software. Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for virus signatures. A signature is a characteristic byte pattern that is part of a virus or family of viruses. If a virus scanner finds a known virus pattern in a file, it notifies the user that the file is infected. More sophisticated viruses can avoid detection by modifying their structure to conceal their characteristic byte patterns. In some cases the virus can modify portions of itself on each infection so that no byte pattern is repeated in different instances of the virus and no characteristic pattern is produced. For example, one type of virus uses a different key to encrypt different instances of the virus so that the only part of the virus that remains constant is a decrypting module used to decode the virus when it infects a file or system. For another example, polymorphic code may be used to create a polymorphic virus that infects files with an encrypted copy of itself, which is decoded by a decryption module. However, the decryption module in a polymorphic virus is also modified on each infection. A well-written polymorphic virus therefore has no parts that remain identical between infections, making it very difficult to detect the polymorphic virus using virus signatures.
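As an added illustration that is not part of the application text, the following constructed Python example contrasts a signature taken from the body bytes, which matches only the unencoded copy, with a signature taken from the constant decoding module, which matches every re-keyed copy. BODY, STUB and the single-byte XOR encoding are constructed stand-ins, and the decode_body step goes beyond the text to show how the constant module also lets a scanner recover and match the body.

```python
"""Toy demonstration of why byte-signature scanning misses re-keyed copies.

Constructed data only: BODY stands in for a sample's payload bytes and STUB for
the decoding routine that, as the text notes, stays constant between copies.
"""
from typing import Dict, List

BODY = b"EXAMPLE-BODY-BYTES-0123456789"   # constructed, arbitrary payload bytes
STUB = b"\x90\x90STUB\xaa\xbb"             # constructed marker for the constant decoder

# Two candidate signatures: one taken from the body, one from the constant stub.
SIGNATURES: Dict[str, bytes] = {"body": BODY[5:15], "stub": STUB}


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR encoding; applying it again with the same key decodes."""
    return bytes(b ^ key for b in data)


def make_instance(key: int) -> bytes:
    """Constructed 'infected file': constant stub, one key byte, encoded body."""
    return STUB + bytes([key]) + xor_encode(BODY, key)


def scan(sample: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Names of signatures whose exact byte pattern occurs anywhere in sample."""
    return sorted(name for name, pattern in signatures.items() if pattern in sample)


def decode_body(sample: bytes) -> bytes:
    """Defender-side step: use knowledge of the constant stub to recover the body."""
    if not sample.startswith(STUB):
        raise ValueError("constant stub not found")
    key = sample[len(STUB)]
    return xor_encode(sample[len(STUB) + 1:], key)


def detect(keys: List[int]) -> Dict[int, List[str]]:
    """Which signatures fire on the raw file for each per-copy key."""
    return {k: scan(make_instance(k), SIGNATURES) for k in keys}


if __name__ == "__main__":
    for key, hits in detect([0x00, 0x5A, 0xC3]).items():
        decoded_hits = scan(decode_body(make_instance(key)), SIGNATURES)
        print(f"key=0x{key:02x}: raw-file hits={hits}, after decoding={decoded_hits}")
```

Only the key-0 copy (identity encoding) is caught by the body signature; the stub signature, or decoding via the constant stub, catches all three.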
A detected virus or other intruder can be eliminated from the computer system, e.g., by removing the intruder code and by looking for a match between the intruder code and segments of the existing object code on the computer system and/or other computer systems. Matching intruder code segments can then be removed. However, a posteriori removal of intruder code has a number of disadvantages. For example, damage done by the intruder code, such as erasing or modifying files, may not be reparable, particularly when the damage is extensive. For another example, the intruder code may be able to replicate itself and infect other systems before it is detected by the antivirus software. The elimination process only removes the intruder from the current system and any other systems that are specifically searched by the antivirus software, but allows the intruder to live on in other systems that are not searched by the antivirus software.